Analysis
-
max time kernel
40s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
01-12-2022 18:34
Errors
General
-
Target
bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9.exe
-
Size
17KB
-
MD5
1f54db8e2133f535609b3eda1db7d869
-
SHA1
32a038fd9fc7acca9886e54c860949d0b3a93599
-
SHA256
bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9
-
SHA512
df62fe3f0c5178dc69b1db65c2ae8a5f062f5443e4cc2a26735a38d0ee38c38483add46ae2627d23d8a28b4fdabbbea792d6a1f785c949326e292f75db079d4b
-
SSDEEP
384:/AhgmZnWs/FBSPGvBm/Qbw7gZTErM/JtnObH0/RtDlFjBsEu:/2gB7GpmaH/JQL0/rC
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9.exe"C:\Users\Admin\AppData\Local\Temp\bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9.exeC:\Users\Admin\AppData\Local\Temp\bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9.exe2⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\x2z8.exeC:\Users\Admin\AppData\Local\Temp\\x2z8.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\x2z8.exeC:\Users\Admin\AppData\Local\Temp\x2z8.exe4⤵
- Executes dropped EXE
- Deletes itself
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5601⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\fpath.txtFilesize
102B
MD53afbf70daa7e058bea4db2e3a2ad36c4
SHA1748df8998d66d59d4277c8b1e1b8e729bd14f694
SHA25603a7b531eced0db2b1960d8ae4271829912b2fe3a4d4519358995cc299042d36
SHA51214524f55f1defadc8da6c3d9ccffffeb99de9647eb88d3bbcbf60fa9d19a4ad61052c7808c1fd40027d9b6291c59ad643e444bbe27d953464e78b0da455651d3
-
C:\Users\Admin\AppData\Local\Temp\x2z8.exeFilesize
17KB
MD51f54db8e2133f535609b3eda1db7d869
SHA132a038fd9fc7acca9886e54c860949d0b3a93599
SHA256bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9
SHA512df62fe3f0c5178dc69b1db65c2ae8a5f062f5443e4cc2a26735a38d0ee38c38483add46ae2627d23d8a28b4fdabbbea792d6a1f785c949326e292f75db079d4b
-
C:\Users\Admin\AppData\Local\Temp\x2z8.exeFilesize
17KB
MD51f54db8e2133f535609b3eda1db7d869
SHA132a038fd9fc7acca9886e54c860949d0b3a93599
SHA256bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9
SHA512df62fe3f0c5178dc69b1db65c2ae8a5f062f5443e4cc2a26735a38d0ee38c38483add46ae2627d23d8a28b4fdabbbea792d6a1f785c949326e292f75db079d4b
-
C:\Users\Admin\AppData\Local\Temp\x2z8.exeFilesize
17KB
MD51f54db8e2133f535609b3eda1db7d869
SHA132a038fd9fc7acca9886e54c860949d0b3a93599
SHA256bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9
SHA512df62fe3f0c5178dc69b1db65c2ae8a5f062f5443e4cc2a26735a38d0ee38c38483add46ae2627d23d8a28b4fdabbbea792d6a1f785c949326e292f75db079d4b
-
\Users\Admin\AppData\Local\Temp\x2z8.exeFilesize
17KB
MD51f54db8e2133f535609b3eda1db7d869
SHA132a038fd9fc7acca9886e54c860949d0b3a93599
SHA256bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9
SHA512df62fe3f0c5178dc69b1db65c2ae8a5f062f5443e4cc2a26735a38d0ee38c38483add46ae2627d23d8a28b4fdabbbea792d6a1f785c949326e292f75db079d4b
-
\Users\Admin\AppData\Local\Temp\x2z8.exeFilesize
17KB
MD51f54db8e2133f535609b3eda1db7d869
SHA132a038fd9fc7acca9886e54c860949d0b3a93599
SHA256bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9
SHA512df62fe3f0c5178dc69b1db65c2ae8a5f062f5443e4cc2a26735a38d0ee38c38483add46ae2627d23d8a28b4fdabbbea792d6a1f785c949326e292f75db079d4b
-
\Users\Admin\AppData\Local\Temp\x2z8.exeFilesize
17KB
MD51f54db8e2133f535609b3eda1db7d869
SHA132a038fd9fc7acca9886e54c860949d0b3a93599
SHA256bd3cf8dbf50c46c72d1b512d9a0185d8127e0e3a8735d93bf87fdf0a5843c7c9
SHA512df62fe3f0c5178dc69b1db65c2ae8a5f062f5443e4cc2a26735a38d0ee38c38483add46ae2627d23d8a28b4fdabbbea792d6a1f785c949326e292f75db079d4b
-
memory/536-54-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/748-59-0x0000000000400000-0x0000000000404000-memory.dmpFilesize
16KB
-
memory/748-66-0x0000000000400000-0x0000000000404000-memory.dmpFilesize
16KB
-
memory/748-62-0x0000000075B11000-0x0000000075B13000-memory.dmpFilesize
8KB
-
memory/748-60-0x0000000000401600-mapping.dmp
-
memory/748-57-0x0000000000400000-0x0000000000404000-memory.dmpFilesize
16KB
-
memory/748-56-0x0000000000400000-0x0000000000404000-memory.dmpFilesize
16KB
-
memory/748-55-0x0000000000400000-0x0000000000404000-memory.dmpFilesize
16KB
-
memory/916-76-0x0000000000401600-mapping.dmp
-
memory/916-81-0x0000000000400000-0x0000000000404000-memory.dmpFilesize
16KB
-
memory/1712-65-0x0000000000000000-mapping.dmp
-
memory/1712-68-0x0000000000400000-0x0000000000411000-memory.dmpFilesize
68KB
-
memory/1756-82-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmpFilesize
8KB